The underground market for personally identifiable information is flourishing, with criminals paying as little as 20 cents to as much as $15 for verified credentials across the dark market. That’s the latest from RSA Security LLC, a data-security company.
The Bedford, Mass.-based firm released the 2018 Cybercriminal Shopping List Tuesday, which reveals how much criminals are willing to pay for certain types of data they can use to commit fraud. For example, consumer credentials associated with an e-commerce site may range in price from 20 cents to $8.50. Data from an online money-transfer service may cost as little as 50 cents to as much as $15.50. Factors affecting price include the consumer brand associated with the data, the type of service, and whether a payment card has been saved with the file, RSA says.
Another factor is whether the credentials might be reused across sites, a practice consumers are constantly advised against. “Cybercriminals, however, find user login information from every industry valuable because most people use the same user name and password for every online account,” Angel Grant, RSA director of fraud, risk intelligence, and identity management, says in an email to Digital Transactions News. “This means that if they get ahold of your credentials for a travel site, chances are those credentials are the same ones used to log on to your online bank.”
Delving into the underground market uncovers how this stolen data gets to criminals. In the past, stolen data had been bought and sold on forums on the dark Web, the part of the Internet not generally public, Grant says, but that has changed. “Much of this data, including live compromised financial information like credit card numbers with personal identifiers and authentication codes, can be found for sale in plain sight on social-media and messaging platforms like Facebook and WhatsApp,” she says.
In a recent report, RSA found an estimated 220,000 members of 500 fraud-dedicated social-media groups around the world. More than 60% of these individuals were on Facebook, despite Facebook’s prohibitions against these types of groups.
Because of the plethora of stolen data, criminals resort to data-mining tools to package the information to better sell it, Grant says. “For example, criminals can package up credit cards for a certain ZIP code. Additionally, they are creating more credential-testing tools, like SentryMBA, which allow the criminals to easily test the stolen credentials across multiple sites at once to see if they are still legitimate.”
Criminals, as with any customer base, need a way to pay for the ill-gotten data. “Many times, they use stolen cards to pay, but now their new darling has become payment by Bitcoin due to the anonymity that it provides,” Grant says. “Another means of payment is through money mules, which are typically recruited via work-at-home scams where the mules end up providing criminals access to their legitimate bank accounts to transfer funds via wire transfers.”